Want to Join Us ?

you'll be able to discuss, share and send private messages.

Python ida pro keypatch by Key stone engine

Discussion in 'Plugins' started by storm shadow, Aug 4, 2016.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Keypatch

    Keypatch is a IDA Pro plugin for Keystone Assembler Engine.
    Keypatch consists of 2 tools inside.
    • Patcher: this allows you to type in assembly to directly patch your binary.
    • Assembler: this interactive tool let you enter assembly & get back instruction encoding.
    Keypatch is confirmed to work on IDA Pro version 6.4, 6.8 & 6.9, but should work flawlessly on older versions. If you find any issues, please report.
    1. Why Keypatch?

    Sometimes we want to patch the binary while analyzing it in IDA, but unfortunately the built-in asssembler of IDA Pro is not adequate.
    • Only X86 assembler is available. Support for all other architectures is totally missing.
    • The X86 assembler is not in a good shape, either: it cannot understand many modern Intel instructions.
    Keypatch was developed to solve this problem. Thanks to the power of Keystone, our plugin offers some nice features.
    • Cross-architecture: support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit).
    • Cross-platform: work everywhere that IDA works, which is on Windows, MacOS, Linux.
    • Based on Python, so it is easy to install as no compilation is needed.
    • Open source under GPL v2.
    Keypatch can be the missing piece in your toolset of reverse engineering.






    2. Install

    • Install Keystone core & Python binding for Python 2.7 from keystone-engine.org/download. Or follow the steps in theappendix section.
    • Copy file keypatch.py to IDA Plugin folder, then restart IDA Pro to use Keypatch.
      • On Windows, the folder is at C:\Program Files (x86)\IDA 6.9\plugins
      • On MacOS, the folder is at /Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/plugins
      • On Linux, the folder may be at /opt/IDA/plugins/
    NOTE
    • On Windows, if you get an error message from IDA about "fail to load the dynamic library", then your machine may miss the VC++ runtime library. Fix that by downloading & installing it from https://www.microsoft.com/en-gb/download/details.aspx?id=40784
    • On other *nix platforms, the above error message means you do not have 32-bit Keystone installed yet. See appendix section below for more instructions to fix this.





    3. Usage

    • To patch your binary, press hotkey CTRL+ALT+K inside IDA to open Keypatch Patcher dialog.
      • The original assembly, encode & instruction size will be displayed in 3 controls at the top part of the form.
      • Choose the syntax, type new assembly instruction in the Assembly box (you can use IDA symbols).
      • Keypatch would automatically update the encoding in the Encode box while you are typing, without waiting forENTER keystroke.
        • Note that you can type IDA symbols, and the raw assembly will be displayed in the Fixup control.
      • Press ENTER or click Patch to overwrite the current instruction with the new code, then automatically advance to the the next instruction.
        • Note that when the new code is shorter than the original code, the extra bytes will be filled in with NOPs by default. Uncheck the choice Padding extra bytes with NOPs if this is not desired.
      • By default, the modification you made is only recorded in the IDA database. To apply these changes to the original binary (thus overwrite it), choose menu Edit | Patch program | Apply patches to input file.
    [​IMG]
    • To do some code assembling (without overwritting binary), open Keypatch Assembler from menu Edit | Keypatch | Assembler.
      • Choose the architecture, address, endian mode & syntax, then type assembly instruction in the Assembly box.
      • Keypatch would automatically update the encoding in the Encode box while you are typing, without waiting forENTER keystroke.
    [​IMG]
    4. Contact

    Email keystone.engine@gmail.com for any questions.
    For future update of Keypatch, follow our Twitter @keystone_engine for announcement.
    Appendix. Install Keystone for IDA Pro

    IDA Pro's Python is 32-bit itself, so it can only loads 32-bit libraries. For this reason, we have to build & install Keystone 32-bit. This section details the steps towards that goal.
    A1. Windows

    It is easiest to just download & install Python 2.7 module for Windows from http://www.keystone-engine.org/download. Be sure to get the 32-bit version, regardless of your Windows edition.
    If you prefer to compile from source, just use MSVC 32-bit & follow the instructions in Windows documentation to buildkeystone.dll. After that, install Python module as in Python documentation. Then copy keystone.dll to the directory of Keystone Python module.
    A2. MacOS

    Since version 0.9.1, by default Keystone is built in universal format, so you just need to follow the instruction in Unix documentation to compile & install it. After that, install Python module as in Python documentation.
    In short, you can simply run the following commands in the source directory of Keystone to do all the above.
    Code (Text):
    $ mkdir build
    $ cd build
    $ ../make-share.sh
    $ sudo make install
    $ cd bindings/python
    $ sudo make install
    A3. Linux

    If your system is Linux 32-bit, you can do the same steps as in MacOS above.
    In case you are on 64-bit Linux, you need to cross compile Keystone to 32-bit. Since version 0.9.1, Keystone supports lib32option to make this easy. After building the core, install Python module as in Python documentation.
    Note that to cross-compile on Linux, you need to install some multilib libraries. For example, on Ubuntu 14.04 64-bit, do this with:


    Code (Text):
    $ sudo apt-get install lib32stdc++-4.8-dev libc6-dev-i386
    After having multilib dependencies, run the following commands in the source directory of Keystone.




    Code (Text):
    $ mkdir build
    $ cd build
    $ ../make-share.sh lib32 lib_only
    $ cd bindings/python
    $ sudo make install
    Finally, copy the 32-bit binaries at build/llvm/lib/libkeystone.so.* to the Python directory of IDA Pro, for example at/opt/IDAPro6.4/python/.
    Done? Now go back to section 2 & install Keypatch for IDA Pro. Enjoy!

    source
    https://github.com/keystone-engine/keypatch
     

    Attached Files:

  2. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Keypatch 2.0

    September 14, 2016
    We are very excited to release Keypatch 2.0, a better assembler for IDA Pro!
    This new version of Keypatch brings some important features, as follows.
    • Fix some issues with ARM architecture (including Thumb mode)
    • Better support for Python 2.6 & older IDA versions (confirmed to work on IDA 6.4)
    • Save original instructions (before patching) in IDA comments.
    • NOP padding also works when new instruction is longer than original instruction.
    • You can fill a range of selected code via a new function “Fill Range”
    • It is now possible to “undo” (revert) the last modification.
    • All the functions are now available via a popup menu (right-mouse click)
    Get full list of new features & source code of Keypatch at keystone-engine.org/keypatch
    A quick tutorial for Keypatch is available.
     

    Attached Files:

    m4n0w4r and Rip Cord like this.
  3. m4n0w4r

    Well-Known Member

    Version 2.0.1
    • Fix an off-by-one bug in Fill-Range function.
    • Log more information when padding NOP
     

    Attached Files:

    Rip Cord and storm shadow like this.
  4. samoray

    Active Member

    Hello guys,
    I'm trying to install Keypatch on my IDA 7.0 pro, but I got this error:
    Code (Text):
    Labeless::Labeless
    Labeless: Python initialized... OK
    C:\Program Files\IDA 7.0\plugins\keypatch.py: No module named keystone
    Traceback (most recent call last):
      File "C:\Program Files\IDA 7.0\python\ida_idaapi.py", line 553, in IDAPython_ExecScript
        execfile(script, g)
      File "C:/Program Files/IDA 7.0/plugins/keypatch.py", line 23, in <module>
        from keystone import *
    ImportError: No module named keystone
    OS: win10 1809 ent X64
    I already have Pythin 27 (both x86 and x64) installed and linked to sys PATH (see picture)
    Python-keystone 0.9.1 x32 installed as well

    [​IMG]

    Any Idea would be appreciated
     
  5. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    it could be that you have to use the Python-keystone x64 bit one, remember that ida 7.0 + is only 64 bit, even the x32 ida version.

    Also that said, you wouldent need the python 2.7 x86 anymore.

    Also tested it with 7.0 + and the code in the plugin is not compatible with 7.0, even when it says in the readme.
     
    m4n0w4r and samoray like this.
  6. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    For it to work , we would need to write ida menu action handlers.
    I can take a look.
     
    Last edited: Oct 21, 2018
    m4n0w4r likes this.
  7. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Last edited: Oct 21, 2018
    Rip Cord and samoray like this.
  8. samoray

    Active Member

    Ok, for now I deleted all links for the Python 32bit version in system PATH, that should get it away .
    so far no error log onthe keystone dll but I get this insted:
    Code (Text):
    """
     
    Failed while executing plugin_t.init():
     
    Traceback (most recent call last):
     
    File "C:/Program Files/IDA 7.0/plugins/keypatch.py", line 1449, in init
     
    menu = idaapi.add_menu_item("Edit/Keypatch/", "Patcher (Ctrl-Alt-K)", "", 1, self.patcher, None)
     
    AttributeError: 'module' object has no attribute 'add_menu_item'
     
    """"
    is this a problem with hot key setting or what?
    Thanks
     
  9. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    see last post i made about raw github code.
     
  10. m4n0w4r

    Well-Known Member

    You can use both python 32-bit (for IDA 6.8) and python 64-bit (for IDA 7.0).
    Create a .bat file to set env for python x64 like this:

    Code (Text):
    @ECHO off
    set PYTHONHOME=C:\Python27x64
    set PYTHON=%PYTHONHOME%\python.exe
    set PYTHONPATH=%PYTHONHOME%\Lib\site-packages
    set PYTHONSCRIPT=%PYTHONHOME%\Scripts
    set PATH=%PATH%;%PYTHON%
    set QT_QPA_PLATFORM_PLUGIN_PATH=%PYTHONPATH%\PyQt5\plugins\platforms
    REM set QT_QPA_PLATFORM_PLUGIN_PATH=C:\Program Files\IDA 7.0\platforms
    After that, if you want to use IDA 7.0, must run the .bat file first and then ida.exe / ida64.exe .. All from command line!!

    Regards,
     
    Rip Cord, samoray and storm shadow like this.
  11. samoray

    Active Member

    Thank you for the tip. that works perfectly. saving the raw code to keypatch.py in IDA plugins folder did the job ;).
    but how does the already compiled one did not work. I dont understand??
     
  12. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    some sort of error when downloading the code
    when downloading the latest release , you would see that in line 1552 it uses idaapi witch is deprecicated. and version check is missing
    Code (Text):
    if idaapi.IDA_SDK_VERSION >= 700:
    so it jumps to the old
    Code (Text):
    idaapi.add_menu_item
     
    Rip Cord and samoray like this.
  13. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

Top